fix: [stix2 import] Better `external_references` parsing for attack patterns objects

2022-08-09 15:48:57 +02:00 · 2022-08-09 15:48:57 +02:00 · 7da6f26520
parent 28d74b08ea
commit 7da6f26520
2 changed files with 14 additions and 5 deletions
--- a/app/files/scripts/stix2/stix2misp.py
+++ b/app/files/scripts/stix2/stix2misp.py
@ -1325,12 +1325,19 @@ class ExternalStixParser(StixParser):
        else:
            misp_object = self.create_misp_object(attack_pattern)
            if hasattr(attack_pattern, 'external_references'):
+                references = defaultdict(set)
                for reference in attack_pattern.external_references:
-                    source_name = reference['source_name']
-                    value = reference['external_id'].split('-')[1] if source_name == 'capec' else reference['url']
-                    attribute = deepcopy(stix2misp_mapping.attack_pattern_references_mapping[source_name]) if source_name in stix2misp_mapping.attack_pattern_references_mapping else stix2misp_mapping.references_attribute_mapping
-                    attribute['value'] = value
-                    misp_object.add_attribute(**attribute)
+                    if hasattr(reference, 'url'):
+                        references['references'].add(reference.url)
+                    if hasattr(reference, 'external_id'):
+                        external_id = reference.external_id
+                        references['id'].add(external_id.split('-')[1] if external_id.startswith('CAPEC-') else external_id)
+                if references:
+                    for feature, values in references.items():
+                        for value in values:
+                            attribute = {'value': value}
+                            attribute.update(getattr(stix2misp_mapping, f'attack_pattern_{feature}_attribute'))
+                            misp_object.add_attribute(**attribute)
            self.fill_misp_object(misp_object, attack_pattern, 'attack_pattern_mapping')
            self.misp_event.add_object(**misp_object)

--- a/app/files/scripts/stix2/stix2misp_mapping.py
+++ b/app/files/scripts/stix2/stix2misp_mapping.py
@ -193,6 +193,8 @@ single_attribute_fields = ('type', 'value', 'to_ids')

 address_family_attribute_mapping = {'type': 'text','object_relation': 'address-family'}
 as_number_attribute_mapping = {'type': 'AS', 'object_relation': 'asn'}
+attack_pattern_id_attribute = {'type': 'text', 'object_relation': 'id'}
+attack_pattern_references_attribute = {'type': 'link', 'object_relation': 'references'}
 description_attribute_mapping = {'type': 'text', 'object_relation': 'description'}
 asn_subnet_attribute_mapping = {'type': 'ip-src', 'object_relation': 'subnet-announced'}
 cc_attribute_mapping = {'type': 'email-dst', 'object_relation': 'cc'}